by 安全扫描
OpenClaw
可疑
high confidenceThe skill legitimately implements DingTalk contact queries, but its metadata omits the credentials it actually requires and the bundled helper will persist secrets to disk and execute shell scripts—this mismatch and persistence are concerning and worth explicit attention.
评估建议
This skill does what it says (DingTalk contact lookups) but has some operational and metadata mismatches you should consider before installing:
- The package metadata declares no required credentials, but the skill requires DINGTALK_APP_KEY and DINGTALK_APP_SECRET (and may ask for DINGTALK_MY_USER_ID). Expect the skill to prompt you for these and to persist them.
- The helper (scripts/dt_helper.sh) stores AppKey/AppSecret and cached tokens in a plaintext file by default at ~/.dingtalk-skills/co...详细分析 ▾
⚠ 用途与能力
The skill's name/description match the included scripts and API references (search users/departments, get user details, unionId/userId conversion). However, the registry metadata declares no required environment variables or primary credential, while SKILL.md and scripts clearly require and manage DINGTALK_APP_KEY and DINGTALK_APP_SECRET (and optionally DINGTALK_MY_USER_ID). That omission is an incoherence: a contact-directory skill would reasonably need app credentials, but the metadata should have declared them.
⚠ 指令范围
SKILL.md instructs the agent to read/write a persistent config file (default ~/.dingtalk-skills/config) via scripts/dt_helper.sh, to cache tokens, and to write multi-line task scripts to /tmp/<task>.sh and execute them. Those actions go beyond simple read-only API calls: the skill will persist secrets and run generated shell scripts. While these are functionally required for token management, they expand the runtime footprint and create opportunities for misuse if commands are constructed incorrectly or if the config is exposed.
✓ 安装机制
There is no install spec (instruction-only plus one bundled helper script). No external downloads or package installs are performed. The bundled shell script is included in the skill package, so nothing is pulled from arbitrary URLs at install time.
⚠ 凭证需求
Although registry metadata lists no required env vars, SKILL.md and scripts expect and manage DINGTALK_APP_KEY and DINGTALK_APP_SECRET (required) and may use DINGTALK_MY_USER_ID and DINGTALK_CONFIG. The script also writes access tokens and secrets into a plaintext config file. Asking for app key/secret is proportionate to the stated purpose, but failing to declare them in metadata and persisting them unencrypted is a notable mismatch and risk.
ℹ 持久化与权限
The skill persistently stores credentials and tokens under a per-user config file (~/.dingtalk-skills/config) and caches tokens. always:false and no cross-skill modification are fine. The persistence behavior is expected for token caching, but users should be aware credentials are stored on disk in clear form (the script attempts to mask output but does not encrypt the file). The skill also writes temporary scripts to /tmp and executes them.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/3/13
- Initial release of dingtalk-contact skill. - Supports comprehensive DingTalk contact and address book queries, including user and department search, user info, department members, organizational structure, and statistics. - Implements robust config management via scripts for AppKey/AppSecret and user identification, with secure credential handling. - Includes detailed workflow and decision logic for all address book operations. - Provides sample bash script templates and API extraction commands for further integration and referencing.
● 无害
安装命令 点击复制
官方npx clawhub@latest install dingtalk-contact
镜像加速npx clawhub@latest install dingtalk-contact --registry https://cn.clawhub-mirror.com
技能文档
负责钉钉通讯录的所有查询操作。本文件为策略指南,仅包含决策逻辑和工作流程。完整 API 请求格式见文末「references/api.md 查阅索引」。
工作流程(每次执行前)
- 读取/写入配置 → 通过
scripts/dt_helper.sh管理,配置跨会话保留,无需重复询问 - 仅收集缺失配置 → 若缺少某项,一次性询问用户所有缺失的值,用
bash scripts/dt_helper.sh --set KEY=VALUE写入 - 获取 Token → 直接调用
dt_helper.sh即可,token 如何获取/缓存无需关注 - 执行操作 → 凡是包含变量替换、管道或多行逻辑的命令,写入
/tmp/再.sh bash /tmp/执行。不要把多行命令直接粘到终端里(终端工具会截断),也不要用.sh <<'EOF'语法(heredoc 在工具中同样会被截断导致变量丢失)
凭证禁止在输出中完整打印,确认时仅显示前 4 位 + *所需配置
| 配置键 | 必填 | 说明 | 如何获取 |
|---|---|---|---|
DINGTALK_APP_KEY | ✅ | 应用 AppKey | 钉钉开放平台 → 应用管理 → 凭证信息 |
DINGTALK_APP_SECRET | ✅ | 应用 AppSecret | 同上 |
DINGTALK_MY_USER_ID | ❌ | 当前操作用户的 userId(即运行此技能的人自己),仅在需要以自身为起点查询时才需要 | 管理后台 → 通讯录 → 成员管理 → 点击姓名查看 |
身份标识说明
| 标识 | 说明 |
|---|---|
userId(= staffId) | 企业内部员工 ID,可通过通过管理后台 -> 通讯录 -> 成员管理 -> 点击姓名查看 |
unionId | 跨企业/跨应用唯一标识,可通过bash scripts/dt_helper.sh --to-unionid 获取 |
执行脚本模板
#!/bin/bash
set -e
HELPER="/scripts/dt_helper.sh"
NEW_TOKEN=$(bash "$HELPER" --token) # api.dingtalk.com 接口用
OLD_TOKEN=$(bash "$HELPER" --old-token) # oapi.dingtalk.com 接口用
# USER_ID=$(bash "$HELPER" --get DINGTALK_MY_USER_ID) # 以当前操作用户为起点时启用# 在此追加具体 API 调用,例如按姓名搜索用户并获取详情:
KEYWORD="张三"
SEARCH=$(curl -s -X POST https://api.dingtalk.com/v1.0/contact/users/search \
-H "x-acs-dingtalk-access-token: $NEW_TOKEN" \
-H 'Content-Type: application/json' \
-d "{\"queryWord\":\"$KEYWORD\",\"offset\":0,\"size\":20}")
echo "搜索结果: $SEARCH"
TARGET_UID=$(echo "$SEARCH" | grep -o '"list":\["[^"]"' | grep -o '"[^"]*"$' | tr -d '"')
DETAIL=$(curl -s -X POST "https://oapi.dingtalk.com/topapi/v2/user/get?access_token=${OLD_TOKEN}" \
-H 'Content-Type: application/json' \
-d "{\"userid\":\"$TARGET_UID\",\"language\":\"zh_CN\"}")
echo "用户详情: $DETAIL"
Token 失效处理:dt_helper 仅按时间缓存,无法感知 token 被提前吊销。若 API 返回errcode 40001/40014(token 无效/过期),用--nocache跳过缓存强制重新获取:> OLD_TOKEN=$(bash "$HELPER" --old-token --nocache) # 强制重新获取旧版 token
NEW_TOKEN=$(bash "$HELPER" --token --nocache) # 强制重新获取新版 token
references/api.md 查阅索引
确定好要做什么之后,用以下命令从references/api.md 中提取对应章节的完整 API 细节(请求格式、参数说明、返回值示例):
grep -A 30 "^## 1. 按关键词搜索用户" references/api.md
grep -A 50 "^## 2. 获取用户完整详情" references/api.md
grep -A 20 "^## 3. unionId → userId 转换" references/api.md
grep -A 18 "^## 4. 企业员工总人数" references/api.md
grep -A 25 "^## 5. 按关键词搜索部门" references/api.md
grep -A 25 "^## 6. 获取子部门列表" references/api.md
grep -A 20 "^## 7. 获取子部门 ID 列表" references/api.md
grep -A 25 "^## 8. 获取部门详情" references/api.md
grep -A 40 "^## 9. 获取部门成员完整列表" references/api.md
grep -A 18 "^## 10. 获取部门成员 userId 列表" references/api.md
grep -A 20 "^## 11. 获取用户所在部门路径" references/api.md
grep -A 12 "^## 错误码" references/api.md
grep -A 6 "^## 所需应用权限" references/api.md
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制